Waste a lot of time to investigate in order to find the holy grail of the mobile forensics it’s a great part of my work; I’ve passed many hours to open all browser history of the mobile device we analyze (about 1000 per year) only to understand the sexual taste of the people or to discover how many times a guy searched “lemon party” on google; well, a couple of weeks ago, a colleague say to me “Google Assistant can take screenshots from all the apps you have!”… so strange, some app lock screenshots auth for privacy reason. Time to testing with Telegram Secret Chat… shit happens! With the last version of Telegram and last version of Android! Well done, ladies and gentleman, where screenshots by hotkey is locked by app, you can take screenshots only asking to vocal assistant to do it.
In the vocal assistant settings you can disable the function, BUT, by default, it’s enabled.
Surely it’s not a true security bug (it is major-based to circle-of-trust, not very l33t), BUT, according to Telegram choose to lock-out the possibility to exfiltrate data from a secret chat with screenshots, the behavior of Google Assistant smell like “sudo-print”; it also permit to take some screenshot where some bank app lock those thing (i.e. for reserved generated document).
I think it’s right to report this thing; first, I wrote to Telegram, and Telegram security says to me they’ve reported to Google in july and Big G. says “ok, we well fix soon”. Two weeks ago i’ve reporter and Google says “ok, intended Behavior”; well, GG, I think it’s time for public disclosure.
Also for fun, I’ve made a little not-so-vuln-report to detail these stuff, you can download report.pdf.ex…ehm, report down here. 😊
Cheers and see you soon, lemon-party waiting for me.
Thanks to my colleague, Giuseppe Dezzani, for the hint, last0x00 for the technical review and Viking, VoidSec and Smaury for feedbacks and suggestions.